Per-app-vpn and BSD sockets in 2021+

Hello!

It's recently come to my attention that to take advantage of "per-app-vpn" we're required to use "Standard networking APIs" (in my world BSD is fairly standard, but I digress). The source base I work with is cross-platform, so Darwin-based platforms share source code with other Unix derivatives.

I found a forum answer [1] which says that we need to use an API to connect by name, and then points further to another answer [2] which would've likely solved our issue. However, in the time since the post was made the mentioned API has been deprecated [3] with no mention of a replacement.

What I would like to know is whether there's a currently supported way of connecting by name and also having access to the raw socket, so that we can keep reusing our current code base with minimal changes (which helps with confidence in making patch releases for older, stable versions).

Alternatively, if there is no such solution: what is the recommended way to support per-app-vpn in our situation?

Thanks,

Mårten


[1] https://developer.apple.com/forums/thread/76448?answerId=225217022#225217022

[2] https://developer.apple.com/forums/thread/65108?answerId=187122022#187122022

[3] https://developer.apple.com/documentation/corefoundation/1539739-cfstreamcreatepairwithsockettoho

Accepted Answer

The SocketConnectedToHostname code should work for the foreseeable future. While CFStreamCreatePairWithSocketToHost has been deprecated, we’ve not announced plans to remove it.

FYI CFStreamCreatePairWithSocketToHost was deprecated for two reasons:

  • Under the covers it uses BSD Sockets, not the new user-space networking stack. That means it’s less efficient today, and that’s only going to get worse as time goes by.

    That, btw, is a reason to move your own code off BSD Sockets, but that’s another story (-:

  • You can enable TLS on the socket stream, which is good, but it uses Secure Transport for TLS, which is not. All our modern TLS efforts, like TLS 1.3, are published via Network framework (and things layered on top of Network framework, like NSURLSession).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm surprised my blank lines are ignored here.

Yeah, the comments field is best used for… well… short comments. If you want to create a reply with significant content, just create a reply [1].

I take it there are no plans for, or a current way to do, this which isn't deprecated, then?

Well, I’d consider all of BSD Sockets to be deprecated (-:

We haven’t formally deprecated BSD Sockets because:

  • We don’t plan to remove support for that API.

  • Deprecating it would cause a lot of churn.

Many folks using BSD Sockets have a good reason to do so — typically that’s because they share code with other platforms — and marking the API as deprecated would generate lots of warnings without much benefit.

Is there any rough ETA on its removal?

Nothing official.

I will say that CFSocketStream is a very popular API, and so I personally expect it to stick around for a long time. Notably, while folks don’t necessarily call it directly, there are wrapper libraries, like GCDAsyncSocket, that are very popular.

Been toying with the idea of replacing the "TLS socket" for Apple systems with the Network framework "socket"

IMO that’s the right thing to do. BSD Sockets is the wrong abstraction layer for (at least :-) two reasons:

  • It has no connect-by-name support, which is critical for modern networking environments.

  • You have to add your own TLS, when you should be using the system’s TLS support.

These factors are a big deal on Apple platforms but they’re also relevant on non-Apple platforms. Having every networking product on your platform carry around its own unique Happy Eyeballs and TLS implementations is a recipe for chaos.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] DevForums has lots of UI cues that cause folks to use comments rather than replies, a fact I’m trying to get fixed (r. 80839588).
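As an added example (not code from this thread, nor Apple's own sample code), here is a Swift client that does what the last reply recommends: it connects by host name using Network framework, letting the system do DNS, Happy Eyeballs and TLS, instead of carrying its own TLS on top of a BSD socket. The host, port and queue label are assumed values; note that an NWConnection does not expose a BSD socket descriptor, which is exactly the trade-off the question raises.

```swift
import Foundation
import Network

/// Build a TLS-over-TCP connection addressed by host name, not by address.
/// Resolution, IPv4/IPv6 racing, per-app VPN routing and the TLS handshake
/// are all handled by the system; the app never touches a socket descriptor.
func makeTLSConnection(host: String, port: UInt16) -> NWConnection? {
    guard let nwPort = NWEndpoint.Port(rawValue: port) else { return nil }
    // NWParameters.tls = system TLS (including 1.3) on top of TCP.
    return NWConnection(host: NWEndpoint.Host(host), port: nwPort, using: .tls)
}

// Assumed values: a public HTTPS host and a label for the delivery queue.
let hostName = "example.com"
guard let connection = makeTLSConnection(host: hostName, port: 443) else {
    fatalError("invalid port")
}
let queue = DispatchQueue(label: "example.tls-client")
let finished = DispatchSemaphore(value: 0)

connection.stateUpdateHandler = { state in
    switch state {
    case .ready:
        // TCP connected and TLS handshake complete: send one HTTP request.
        let request = "HEAD / HTTP/1.1\r\nHost: \(hostName)\r\nConnection: close\r\n\r\n"
        connection.send(content: request.data(using: .utf8),
                        completion: .contentProcessed { error in
            if let error = error {
                print("send failed: \(error)")
                connection.cancel()
                return
            }
            // Read the first chunk of the reply, print its status line, then close.
            connection.receive(minimumIncompleteLength: 1, maximumLength: 4096) { data, _, _, error in
                if let data = data, let text = String(data: data, encoding: .utf8) {
                    print(text.split(separator: "\r\n").first ?? "")
                }
                if let error = error { print("receive failed: \(error)") }
                connection.cancel()
            }
        })
    case .failed(let error):
        print("connection failed: \(error)")   // covers DNS, routing and TLS errors
        finished.signal()
    case .cancelled:
        finished.signal()
    default:
        break
    }
}
connection.start(queue: queue)
_ = finished.wait(timeout: .now() + 10)
```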
